A Week in the News: NoIP and Miniduke Returns

In the news this week, Microsoft took legal action against NoIP, a hosting company allegedly profiting from letting cybercriminals use their service to host malicious campaigns. The Miniduke advanced persistent threat campaign resurfaced this week as well.

NoIP

NoIP is a dynamic domain name service (DNS) provider. They provide a service that lets users purchase domain names for websites like any other DNS provider. The difference, in simple terms, is that Dynamic DNS systems let administrators easily update their domain names and IP addresses. This feature can be a valuable tool for cybercriminals seeking to evade detection from antivirus engines that would block the IP addresses of websites hosting malware or acting as a server controlling a botnet. Unfortunately in this scenario, plenty of non-malicious companies use Dynamic DNS and NoIP as well.

Microsoft claims it is “taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware.”

Microsoft claims it is “taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware.” NoIP contests claims that they support malware operations.

One of the ways that Microsoft disrupts malware operations is to acquire a temporary restraining order, a legal authority that gives the company the ability to seize domains and sinkhole domains used in malicious operations to reroute traffic to domains Microsoft controls. Sinkholes, which we have discussed here in the past, are a broadly acceptable method of disrupting the operation of botnets and other malware enterprises and are used in a variety of ways.

Per Threatpost’s explanation, researchers often will work with hosting providers to reroute traffic from malicious domains to ones controlled by the researchers or by law enforcement, helping to cut off the lifeline of the operations. Problematically, NoIP claims it was not contacted by Microsoft in this case.

The decision caused a stir in the security community. One reason for controversy is quite typical: what gives Microsoft – a private company with its own set of objective values, not a law enforcement agency – the authority to take what amounts to enforcement action against another company or group of individuals. In essence, it looks to some like Microsoft is policing the Internet based in their own interests. Unfortunately, those complaints came louder this time around, because Microsoft accidentally knocked a number of legitimate sites offline in the process of performing this particular takedown.

You can read the director of Kaspersky Lab’s Global Research and Analysis Team, Costin Raiu’s take here.

Miniduke is Back

The Miniduke advanced persistent threat (APT) campaign is back. Researchers at Kaspersky Lab first discovered the malware spying campaign in February of last year. At the time, it was being deployed to spy primarily on governments in Europe. Miniduke was unique among other APT actors at the time of its initial discovery for a number of reasons including that the malware communicated in part using Twitter and sent executable files designed to update malware on infected machines hidden in .gif files.

This second wave – examined in a Securelist article from Thursday – shows that the campaign has increased in both scope and complexity following its year long hiatus. In addition to targeting government, military, and energy organizations, the campaign is stealing data from online drug dealers as well, particularly those selling hormones and steroids. Furthermore, once the malware deployed by the campaign steals information from its targets, it breaks that information down into tiny parts and scatters those parts about to make it more difficult on researchers seeking to learn about the campaign.